Kevan Miller wrote:
> On Jun 30, 2009, at 10:26 AM, Joe Bohn wrote:
>> I tried some random URIs and always received a 404 back in my tests.
>> This could be a problem with the filter on the welcome application.
>> It currently has a context-root of "/" and the filter is registered
>> with a URL pattern of "/*".
> OK, that would explain it... So, is there any reason to run XSS
> filtering on the welcome app?
I'm not sure if there is a strong reason to have the filter applied to
the welcome application. I have this vague recollection of somebody
raising an issue earlier ... but I can't find any reference and after a
quick glance I don't see any obvious exposures.
It primarily includes links into our wiki documentation along with a few
other links (such as to the console and to subscribe to the mailing
lists).
Perhaps the mail subscription links might present an exposure?
Or perhaps on the IRC link?
Does anybody have an idea if this is really necessary? It seems like
overkill to me.
Joe